Archive for January, 2012

The most radical global attempt ever to regulate the exploitation of personal information is now in the public domain. Following several weeks of increasing expectation about the content of the proposals, the European Commission published this morning two legislative documents: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Looking at the Regulation, the immediate reaction is that after many years of a principles-based approach, the new law will go much further than that and establish a new system of powerful rights and very prescriptive and uniform obligations across the EU.

The draft Regulation sets out very clearly its extra-territorial reach, which as Viviane Reding put it, will apply to companies that are active in the EU market and offer their services to EU citizens – although it is really ‘EU residents’. What is also obvious is that the new law is targeted at companies operating on the internet and aims to shake up the way they tackle privacy issues.

The bulk of the proposed Regulation brings with it a whole new set of practical obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers. Plus, of course, near-immediate data breach notification. These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but also the basis for a new way of demanding practical compliance in the black letter of the law.

The prospect of substantial monetary fines based on the annual worldwide turnover of a company (up to 2%) may help get the attention of some decision makers, but the real test for the proposed framework will be its viability in an ever-changing, data-reliant world.

This is by no means the end of the road. My expectation is that 2012 will be a crucial year to influence the outcome of the new law and policy makers will be looking for input from all key stakeholders.

The European Data Protection Supervisor (EDPS) has prepared a public inventory and accompanying note setting out its key issues for 2012. Given that the EDPS is one of the most influential figures in the data protection world, this is a reflection of what is likely to be hot in data protection during the next twelve months.

The four areas of strategic importance that the EDPS has identified are:

1. A completely new legal framework for data protection

Once the Commission has finalised its proposal for a new legislative framework (expected in the coming weeks), the EDPS will issue an opinion giving particular attention to: trans-border data processing activities, third-country transfers, data subjects’ rights, data controllers’ obligations and mechanisms with regard to cooperation and consistency. However, with a new framework likely to be several years in the making, this will no doubt still be an issue in 2013 and beyond.

With the European Commission’s agenda currently concentrating on immigration/border control and anti-terrorism/internal security, the EDPS states that in 2012 it will focus on initiatives to ensure the balance between security and privacy is maintained. The EDPS therefore seems prepared to exert its independence from the Commission and to fight the corner of the data protection principles.

4. Financial sector reform

During 2011 the EDPS was concerned about data protection issues arising from the development of financial legislation led by the Commission. In 2012 it plans to monitor developments by issuing opinions on proposals concerning the regulation and supervision of financial markets and actors.

Time will tell whether the EDPS’ actions in 2012 match its forecast, or rather whether an unforeseen event or new political mood will actually determine its conduct to a greater degree.

The ICO has introduced informal advisory visits aimed at small-to-medium sized businesses, charities, not-for-profit organisations and public authorities that would like some help to improve their data protection practices.

While it is open to organisations to apply for a full-blown audit, the ICO makes the point in its published guidance on consensual audits that it takes a risk-based approach to such audits. In practice, this is likely to mean that the ICO will give priority to conducting audits of organisations that it considers to be high risk.

While the ICO guidance on advisory visits states that the ICO will give priority to organisations that will benefit most from a visit, the visits are likely to offer the opportunity for more audits of organisations perceived as being low risk that wish to benefit from the knowledge and experience of the ICO’s good practice team.

According to ICO guidance, an advisory visit would take one day and would look at three main areas as follows: Security; Records Management; and Requests for Personal Data. Within each of these areas, the ICO would look at what policies and procedures are in place in order to check that they are appropriate, verify that they are being followed and provide practical advice.

The one-day visit would then be followed up by a report which would summarise the findings and identify areas for improvement. The fact that an advisory visit has been conducted with a particular organisation would be published on the ICO’s website. With the consent of the organisation, the ICO would also publish a short summary of the visit (which would include the background to the visit, the areas reviewed and a summary of the findings identifying good practice and areas for improvement).

Organisations can register their interest in an advisory visit by sending an email to the following address: advisory@ico.gsi.gov.uk.

The ICO has produced a guide to advisory visits which can be found here.